CVE-2025-22372: Insecure password storage in SicommNet BASEC

8.4 CVSS

Description

Insufficiently Protected Credentials vulnerability in SicommNet BASEC on SaaS allows Password Recovery.
Passwords are stored either in plain text or using reversible encryption, allowing an attacker with sufficient privileges to extract plain text passwords easily.

This issue affects BASEC: from 14 Dec 2021.

Classification

CVE ID: CVE-2025-22372

CVSS Base Severity: HIGH

CVSS Base Score: 8.4

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/V:C

Problem Types

CWE-522 Insufficiently Protected Credentials

Affected Products

Vendor: SicommNet

Product: BASEC

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.38% (share of vulnerabilities scored less than or equal to this one)

EPSS Date: 2025-04-16 (when this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-22372
https://basec.sicomm.net/login/
https://csirt.divd.nl/DIVD-2025-00001
https://cisrt.divd.nl/CVE-2025-22372

Timeline